ECE596C: Handout #4
Elements of Shannon’s Approach to Cryptography
Electrical and Computer Engineering, University of Arizona,
Loukas Lazos
Abstract. In this lecture we provide a formal measure of security and define the notion of
perfect secrecy. We analyze the security of the one-time pad cryptosystem. We also state basic
theorems of information theory for the entropy of a random variable. Readings from Chapter
2 of D. Stinson.
1 Towards a measure of the security of a cryptosystem
Definitions of security:
1. Computational Security: The computational effort required by Eve to break a cryptosystem.
A cryptosystem is computationally secure if the best known algorithm requires at least some large
number N of operations. Security of this kind can only be proved against specific types of attacks.
2. Provable Security: Security is proved by means of a reduction to a well-known problem that is
thought to be difficult to solve. Proofs of this sort usually involve statements such as, “if Eve
is able to break cryptosystem A, then she can also solve problem X in a computationally efficient
way.” Examples of well-known mathematical problems that are assumed to be hard to solve are
the prime factorization of large numbers and the discrete logarithm problem.
3. Unconditional Security: A cryptosystem is said to be unconditionally secure if it cannot
be broken even if Eve has an unbounded amount of computational resources at her disposal.
2 Perfect Secrecy
Let a cryptosystem be defined by the 5-tuple (P, C, K, E, D). Let’s also assume that there is a
probability distribution on the plaintext space P, like the one we defined when the plaintext space
was the English language. The a priori plaintext distribution is denoted by Pr[x = x]. Let also
the key K ∈ K be randomly (uniformly) selected from the keyspace K, with the probability that
key K is selected denoted by Pr[K = K]. The two probability distributions on P, K induce
a probability distribution on the cipherspace C. If y denotes a random variable expressing the
ciphertext, the probability of obtaining the ciphertext y is:

$$\Pr[\mathbf{y} = y] = \sum_{\{K : y \in \mathcal{C}\}} \Pr[\mathbf{K} = K]\,\Pr[\mathbf{x} = d_K(y)]. \qquad (1)$$

The conditional probability of obtaining ciphertext y given that the plaintext is x is given by:

$$\Pr[\mathbf{y} = y \mid \mathbf{x} = x] = \sum_{\{K : x = d_K(y)\}} \Pr[\mathbf{K} = K]. \qquad (2)$$
ECE 596C: Cryptography for Secure Communications with Applications to Network Security
Using Bayes’ rule, we can now compute the probability of the plaintext being x given that
the ciphertext y has been observed:

$$\Pr[\mathbf{x} = x \mid \mathbf{y} = y] = \frac{\Pr[\mathbf{x} = x] \times \sum_{\{K : x = d_K(y)\}} \Pr[\mathbf{K} = K]}{\sum_{\{K : y \in \mathcal{C}\}} \Pr[\mathbf{K} = K]\,\Pr[\mathbf{x} = d_K(y)]}, \qquad (3)$$

where the denominator is Pr[y = y] from (1).
Example:
Let P = {a, b}, with Pr[a] = 0.25 and Pr[b] = 0.75. Let also K = {K1, K2, K3} have probability
distribution 0.5, 0.25, 0.25, respectively. Let the ciphertext space be C = {1, 2, 3, 4}, with the encryption
function given by the following matrix (the entry in row x, column K is eK(x)):

       K1   K2   K3
  a     1    2    3
  b     2    3    4

Table 1. The encryption matrix.
Given the probability distributions for P, K we can compute the probability distribution of C as
follows:

$$\Pr[1] = \tfrac{1}{4} \times \tfrac{1}{2} = \tfrac{1}{8}, \qquad (4)$$

$$\Pr[2] = \tfrac{1}{4} \times \tfrac{1}{4} + \tfrac{3}{4} \times \tfrac{1}{2} = \tfrac{7}{16}, \qquad (5)$$

$$\Pr[3] = \tfrac{1}{4} \times \tfrac{1}{4} + \tfrac{3}{4} \times \tfrac{1}{4} = \tfrac{1}{4}, \qquad (6)$$

$$\Pr[4] = \tfrac{3}{4} \times \tfrac{1}{4} = \tfrac{3}{16}. \qquad (7)$$
We can now compute the conditional probability of the plaintext x ∈ P given that a specific ciphertext was observed:

$$\Pr[a \mid 1] = 1, \quad \Pr[a \mid 2] = \tfrac{1}{7}, \quad \Pr[a \mid 3] = \tfrac{1}{4}, \quad \Pr[a \mid 4] = 0,$$

$$\Pr[b \mid 1] = 0, \quad \Pr[b \mid 2] = \tfrac{6}{7}, \quad \Pr[b \mid 3] = \tfrac{3}{4}, \quad \Pr[b \mid 4] = 1. \qquad (8)$$
Based on the above example, it becomes evident that given the above cryptosystem, Eve can determine the plaintext by just observing the ciphertext, with a very high probability.
Definition 1. A cryptosystem has perfect secrecy if Pr[x|y] = Pr[x]. That is, observing the ciphertext y does not reveal any information about the plaintext x.
Theorem 1. Let the 26 keys of the Shift Cipher be used with equal probability 1/26. Then for any plaintext
probability distribution, the Shift Cipher is secure.
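As an added example that is not part of the handout, the following Python computes equations (1)–(3) for the cryptosystem of Table 1, applies Definition 1 to it, and then checks Theorem 1 by running the same test on the Shift Cipher with uniform keys (and, for contrast, with non-uniform keys). The names TABLE1_ENC, posterior, has_perfect_secrecy, shift_cipher and skewed are my own; the probabilities for Table 1 are copied from the example above, and the skewed distribution is constructed.

```python
from fractions import Fraction

# Constructed from Table 1 of the handout: TABLE1_ENC[(K, x)] = e_K(x).
TABLE1_ENC = {
    ("K1", "a"): 1, ("K2", "a"): 2, ("K3", "a"): 3,
    ("K1", "b"): 2, ("K2", "b"): 3, ("K3", "b"): 4,
}
TABLE1_PLAIN = {"a": Fraction(1, 4), "b": Fraction(3, 4)}                         # Pr[x = x]
TABLE1_KEYS = {"K1": Fraction(1, 2), "K2": Fraction(1, 4), "K3": Fraction(1, 4)}  # Pr[K = K]


def ciphertext_distribution(enc, pr_x, pr_k):
    """Equation (1): Pr[y = y] = sum over the keys K under which y occurs of
    Pr[K = K] * Pr[x = d_K(y)].  Walking the encryption table once visits exactly
    the pairs (K, x) with e_K(x) = y, i.e. x = d_K(y)."""
    pr_y = {}
    for (k, x), y in enc.items():
        pr_y[y] = pr_y.get(y, Fraction(0)) + pr_k[k] * pr_x[x]
    return pr_y


def posterior(enc, pr_x, pr_k):
    """Equation (3): Pr[x = x | y = y] by Bayes' rule, for every plaintext x and every
    ciphertext y with Pr[y] > 0.  Returns a dict keyed by (x, y)."""
    pr_y = ciphertext_distribution(enc, pr_x, pr_k)
    # Equation (2): Pr[y = y | x = x] = sum of Pr[K = K] over the keys with e_K(x) = y.
    pr_y_given_x = {}
    for (k, x), y in enc.items():
        pr_y_given_x[(x, y)] = pr_y_given_x.get((x, y), Fraction(0)) + pr_k[k]
    return {
        (x, y): pr_x[x] * pr_y_given_x.get((x, y), Fraction(0)) / py
        for y, py in pr_y.items()
        for x in pr_x
    }


def has_perfect_secrecy(enc, pr_x, pr_k):
    """Definition 1: perfect secrecy iff Pr[x | y] == Pr[x] for all x and all observable y."""
    return all(p == pr_x[x] for (x, y), p in posterior(enc, pr_x, pr_k).items())


def shift_cipher(n=26):
    """Encryption table of the Shift Cipher on Z_n: e_K(x) = (x + K) mod n."""
    return {(k, x): (x + k) % n for k in range(n) for x in range(n)}


def uniform(items):
    items = list(items)
    return {i: Fraction(1, len(items)) for i in items}


def skewed(n):
    """A deliberately non-uniform distribution on Z_n (constructed): Pr[i] = (i + 1) / (1 + 2 + ... + n)."""
    total = n * (n + 1) // 2
    return {i: Fraction(i + 1, total) for i in range(n)}


if __name__ == "__main__":
    print(ciphertext_distribution(TABLE1_ENC, TABLE1_PLAIN, TABLE1_KEYS))   # {1: 1/8, 2: 7/16, 3: 1/4, 4: 3/16}
    print(posterior(TABLE1_ENC, TABLE1_PLAIN, TABLE1_KEYS))
    print(has_perfect_secrecy(TABLE1_ENC, TABLE1_PLAIN, TABLE1_KEYS))            # False
    print(has_perfect_secrecy(shift_cipher(), skewed(26), uniform(range(26))))   # True (Theorem 1)
    print(has_perfect_secrecy(shift_cipher(), uniform(range(26)), skewed(26)))   # False: keys not uniform
```

Exact rational arithmetic (Fraction) is used so that the comparison Pr[x | y] == Pr[x] in has_perfect_secrecy is a true equality test rather than a floating-point approximation; the Shift Cipher passes only when the key distribution is uniform, which is the hypothesis of Theorem 1.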
Theorem 2. Suppose (P, K, C, E, D) is a cryptosystem for which |P| = |C| = |K|. This cryptosystem
provides perfect secrecy if and only if the probability distribution on the set of keys is uniform and,
∀x ∈ P, y ∈ C, there exists a unique key K such that eK(x) = y.

Proof. Let (P, K, C, E, D) provide perfect secrecy. Then Pr[y|x] = Pr[y] > 0 for every x ∈ P, y ∈ C,
so for every such pair there exists a key K such that eK(x) = y, and for a fixed x we can write the inequality

$$|\mathcal{C}| = |\{e_K(x) : K \in \mathcal{K}\}| \le |\mathcal{K}|. \qquad (9)$$

But by assumption |C| = |K|, and hence the above inequality holds as an equality:

$$|\mathcal{C}| = |\{e_K(x) : K \in \mathcal{K}\}| = |\mathcal{K}|. \qquad (10)$$

This equality states that there do not exist two different keys K1, K2 such that eK1(x) =
eK2(x) = y; that is, for any x ∈ P, y ∈ C there exists a unique key K such that eK(x) = y.

Let the plaintext space be P = {xi : 1 ≤ i ≤ |K|} and fix a ciphertext element y ∈ C. Let also the key set
K = {Ki : 1 ≤ i ≤ |K|} be arranged in such an order that eKi(xi) = y. Using Bayes’ theorem,

$$\Pr[x_i \mid y] = \frac{\Pr[y \mid x_i]\,\Pr[x_i]}{\Pr[y]} = \frac{\Pr[\mathbf{K} = K_i]\,\Pr[x_i]}{\Pr[y]}. \qquad (11)$$

According to the perfect secrecy condition Pr[xi|y] = Pr[xi], and hence Pr[Ki] = Pr[y] for 1 ≤
i ≤ |K|. That is, each key is selected with the same probability Pr[y]. Since the number of keys is
|K|, this probability is equal to Pr[K] = 1/|K|, ∀K ∈ K.

Conversely, if |P| = |C| = |K|, the probability distribution on the set of keys is uniform, and
∀x ∈ P, y ∈ C there exists a unique key K such that eK(x) = y, it is straightforward to show that the
cryptosystem provides perfect secrecy, following a process similar to the proof of the perfect secrecy
of the stream cipher.
3 One-time Pad
This idea was developed by Vernam. The key is used to encrypt only once and is represented as a
binary string. If P = C = K = Z2 then eK(x) = x ⊕ K, i.e. (x + K) mod 2, and dK(y) = y ⊕ K, i.e.
(y + K) mod 2. As an example, Alice performs encryption as:

PLAINTEXT: 0 1 0 1 1 0
KEY:       1 0 1 1 0 1
CIPHER:    1 1 1 0 1 1

Bob does decryption as:

CIPHER:    1 1 1 0 1 1
KEY:       1 0 1 1 0 1
PLAINTEXT: 0 1 0 1 1 0

More formally, we can describe a one-time pad as follows.
The key vector is K = (K1, K2, ..., Kn) and P = C = K = (Z2)^n:

$$y = e_K(x) = (x_1 + K_1,\ x_2 + K_2,\ \ldots,\ x_n + K_n) \bmod 2, \qquad (12)$$

$$d_K(y) = (y_1 - K_1,\ y_2 - K_2,\ \ldots,\ y_n - K_n) \bmod 2. \qquad (13)$$

With a little algebra we can show that knowledge of y reveals nothing about x or K. This
can be written as P(x|y) = P(x), which means that observing y leaves us with the same amount of
uncertainty about x as before. Such a cryptosystem is then said to have perfect secrecy. Note that
the key has to be used only once.
We give another example of the one-time pad here:

x:                   1 1 0 1 1 0 0 1
K:                   0 1 1 0 1 1 1 0
y = eK(x) = x ⊕ K:   1 0 1 1 0 1 1 1
dK(y) = y ⊕ K:       1 1 0 1 1 0 0 1 = x
As an additional example consider the previous coin toss experiment. Let the outcome H = 0
and T = 1. Then P(X = 0) = 1/2 and P(X = 1) = 1/2. Also let P(K = 0) = 1/2 and P(K = 1) = 1/2.
With Y = X ⊕ K we have the following:

X  K  Y
0  0  0
0  1  1
1  0  1
1  1  0

We can see that P(Y = 0) = 1/2 and P(Y = 1) = 1/2. Now

$$P(Y = 0 \mid X = 0) = \frac{P(Y = 0, X = 0)}{P(X = 0)} = P(X \oplus K = 0 \mid X = 0) = P(K = 0) = \tfrac{1}{2} = P(Y = 0).$$

Hence Y is independent of X.
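The encryption and decryption of (12)–(13), the two worked one-time-pad examples, the remark that the key must be used only once, and the coin-toss independence check, as an added Python example that is not from the handout. The functions bits, otp_encrypt, otp_decrypt, key_reuse_cancels_pad, coin_toss_table and otp_hides_plaintext are my own names; the bit strings are copied from the examples above, and otp_hides_plaintext generalises the one-bit coin-toss table to n bits by exhaustive enumeration.

```python
from fractions import Fraction
from itertools import product


def bits(s):
    """'010110' -> [0, 1, 0, 1, 1, 0]."""
    return [int(c) for c in s]


def xor_bits(a, b):
    """Coordinate-wise (a_i + b_i) mod 2, the operation in equations (12) and (13).
    A pad shorter than the message is an error, not something to recycle."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must have the same length as the message")
    return [(ai + bi) % 2 for ai, bi in zip(a, b)]


def otp_encrypt(x, k):
    return xor_bits(x, k)          # y = x xor K, equation (12)


def otp_decrypt(y, k):
    return xor_bits(y, k)          # y xor K = x xor K xor K = x, equation (13)


def handout_examples():
    """Re-run the two worked examples of the handout (inputs copied from the text).
    Returns (y1, y2, decrypt(y1) == x1, decrypt(y2) == x2)."""
    x1, k1 = bits("010110"), bits("101101")
    x2, k2 = bits("11011001"), bits("01101110")
    y1, y2 = otp_encrypt(x1, k1), otp_encrypt(x2, k2)
    return ("".join(map(str, y1)), "".join(map(str, y2)),
            otp_decrypt(y1, k1) == x1, otp_decrypt(y2, k2) == x2)


def key_reuse_cancels_pad(x1, x2, k):
    """Why the key must be used only once: encrypting two messages under the same K gives
    y1 xor y2 = x1 xor x2, so the pad cancels and the pair of ciphertexts exposes the relation
    between the two plaintexts.  Returns True when that identity holds for the given inputs."""
    y1, y2 = otp_encrypt(x1, k), otp_encrypt(x2, k)
    return xor_bits(y1, y2) == xor_bits(x1, x2)


def coin_toss_table():
    """The coin-toss example: X and K uniform on {0, 1}, Y = X xor K.
    Returns (P(Y = 0), P(Y = 0 | X = 0)); both are 1/2, so Y is independent of X."""
    rows = [(x, k, x ^ k) for x, k in product((0, 1), repeat=2)]
    p_y0 = Fraction(sum(1 for _, _, y in rows if y == 0), len(rows))
    rows_x0 = [r for r in rows if r[0] == 0]
    p_y0_given_x0 = Fraction(sum(1 for _, _, y in rows_x0 if y == 0), len(rows_x0))
    return p_y0, p_y0_given_x0


def otp_hides_plaintext(n):
    """n-bit generalisation of the coin-toss table: with K uniform on (Z_2)^n, for every fixed x
    the map K -> x xor K is a bijection of (Z_2)^n, so Pr[Y = y | X = x] = 1 / 2^n for every y,
    independent of x.  Exhaustively checks the bijection and returns True iff it holds."""
    space = list(product((0, 1), repeat=n))
    for x in space:
        images = {tuple(xor_bits(list(x), list(k))) for k in space}
        if len(images) != len(space):   # a collision would make some y likelier than others
            return False
    return True


if __name__ == "__main__":
    print(handout_examples())          # ('111011', '10110111', True, True)
    print(coin_toss_table())           # (Fraction(1, 2), Fraction(1, 2))
    print(otp_hides_plaintext(4))      # True
```

The length check in xor_bits is the practical counterpart of the "used only once" rule: a pad that is too short would have to be repeated or truncated, and key_reuse_cancels_pad shows what a repeated pad gives away.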